Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn with Cisco expert Sachin Gupta how embedded deep packet inspection capabilities on the Catalyst 6500 deliver Stateful Application Intelligence and Integrated Security. Sachin is a senior manager in the Catalyst 6500 product management team. He has been at Cisco for 10 years and has held leadership roles in Customer Advocacy and the IOS Technologies division before joining the Catalyst 6500 team four years ago.

Remember to use the rating system to let Sachin know if you have received an adequate response.

Sachin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 1, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

This forum is really to discuss new application intelligence and security capabilities of the Catalyst 6500 with Supervisor Engine 32 PISA. I recommend that you get your question answered through Cisco TAC.

I know this is for the expert, but I'm not an expert; I just started my career in networking. I hope you could help me with my wonderings :) :) I am very much interested in multi-layer switching, using RSM and the route switch feature card and the supervisor engines' management, specifically on switching, bridging, trunking, STP, routing (internal routing), and ACLs. Though I already have an idea on those I mentioned, I just want to know how the multilayer switch deals with those since it is already integrated, its operations, and how-tos. Do you mind, sir, if you can give me something to read so that I know its operation? Hope you could help me, sir; your help would be greatly appreciated. Thanks so much.

DARPI - Dynamic ARP Inspection. This addresses a serious Layer 2 security vulnerability where an attacker can use ARP poisoning. To mitigate this issue, DHCP Snooping along with Port Security needs to be configured.

Flexible Packet Matching allows you to filter at any offset in the packet, whereas ACLs are limited to L4 ports. For example, the Slammer worm is a UDP packet that has a certain bit string at a 224-byte offset - ACLs can't match this exactly, but FPM can. You can find examples of FPM filters at:

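An added illustration of the point above, written for this thread rather than taken from the post or from Cisco's FPM documentation: a port-only ACL check beside an FPM-style check that also requires a byte string at a fixed offset from the start of the IPv4 header. The UDP port, the 4-byte pattern and the two sample packets are constructed for the example, not a real worm signature.

```python
import struct

def build_udp_packet(dst_port: int, payload: bytes) -> bytes:
    """Construct a sample IPv4+UDP packet (checksums left zero; test data only)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp

def acl_match(packet: bytes, udp_dst_port: int) -> bool:
    """Port-based ACL: protocol must be UDP and the destination port must match."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 17:                   # protocol field: 17 = UDP
        return False
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dst_port == udp_dst_port

def fpm_match(packet: bytes, udp_dst_port: int, offset: int, pattern: bytes) -> bool:
    """FPM-style rule: the same port test plus an exact byte string found
    `offset` bytes from l3-start (the first byte of the IPv4 header)."""
    if not acl_match(packet, udp_dst_port):
        return False
    return packet[offset:offset + len(pattern)] == pattern

# Constructed sample traffic: both packets go to the same UDP port, so the port
# ACL treats them identically; only the second carries the pattern at offset 224.
PORT = 1434                      # assumed port for the example
OFFSET = 224                     # offset from l3-start, as in the post above
PATTERN = b"\xde\xad\xbe\xef"    # placeholder byte string, not a real signature

BENIGN = build_udp_packet(PORT, b"\x00" * 300)
# L3 offset 224 lands at payload offset 224 - 20 (IP) - 8 (UDP) = 196
SUSPECT = build_udp_packet(PORT, b"\x00" * 196 + PATTERN + b"\x00" * 100)

def compare() -> dict:
    """Return each check's verdict so the difference between ACL and FPM is visible."""
    return {
        "acl_benign": acl_match(BENIGN, PORT),
        "acl_suspect": acl_match(SUSPECT, PORT),
        "fpm_benign": fpm_match(BENIGN, PORT, OFFSET, PATTERN),
        "fpm_suspect": fpm_match(SUSPECT, PORT, OFFSET, PATTERN),
    }

if __name__ == "__main__":
    print(compare())
```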
You are good with Sup720! If you are using your 6513 in a campus access (wiring closet) or Enterprise WAN type of deployment, Sup32 PISA offers you the ability to apply QoS and Security policies to traffic flows based on application or based on patterns deep in the packets. Basically, you can prioritize based on HTTP URL, or match things like Citrix or VoIP statefully. You can also block BitTorrent or Skype - if that is your corporate policy. And you can do all this in hardware at multi-Gigabit speeds.

The Stateful Application Intelligence piece uses "PDLM" files to describe new protocols which today come from Cisco. We are hoping to enable this functionality for customers in CY08. You can define some protocols on your own today using the CLI but not very complex ones.

The Flexible Packet Matching function can be completely configured through an XML definition language.

With PISA, can I inspect the new versions of Skype or P2P applications?

In the previous post you said "with PISA you can block Skype and P2P tech": with NBAR I can't block the Skype protocol version 2.x or 3.x ... and I think the new versions of P2P protocols with "protocol obfuscation" are in the same situation ...

3) Will the PISA tech. be implemented in the FWSM module? And in the Supervisor 720?

2) PISA can stop new versions of Skype and P2P applications during login pretty easily using Flexible Packet Matching. NBAR definitions for newer versions of the protocols take a little longer to develop but we plan to make them available.

3) There are no plans to integrate this functionality in the FWSM since we see these as complementary products with specialized functions. There are no committed plans for PISA on Sup720 at this time.